PCI Requirement 10.4 – Using Time-Synchronization Technology, Synchronize All Critical System Clocks and Times

by Randy Bartels / May 1st, 2018

Why do System Clocks and Times Need to be Synchronized?

Remember how PCI Requirement 10.3 requires that date and time of events are captured in log entries? PCI Requirement 10.4 dives into time management and what is required of that date and time. It requires that organizations should use time-synchronization technology to synchronize all critical system clocks and times, and ensure that the following is implemented for acquiring, distributing, and storing time:

  • Critical systems have the correct and consistent time.
  • Time data is protected.
  • Time settings are received from industry-accepted time sources.

Why do organizations need to synchronize all critical system clocks and times? Let’s say your organization has 20 machines and each one is synchronized differently. Wouldn’t it be incredibly difficult to create a chronological order of events, when the time on each machine is different? The PCI DSS guidance for PCI Requirement 10.4 states, “When clocks are not properly synchronized, it can be difficult, if not impossible, to compare log files from different systems and establish an exact sequence of event (crucial for forensic analysis in the event of a breach). For post-incident forensics teams, the accuracy and consistency of time across all systems and the time of each activity is critical in determining how the systems were compromised.”

To verify compliance with PCI Requirement 10.4, an assessor will want to examine configuration standards and processes for time-synchronization technology.

Now that you have logging enabled and are logging the correct events, remember that one of the requirements in PCI Requirement 10.3 said that we have to capture the time and date. From a forensics perspective, if we have 20 machines and each of these machines are on a different time sync, it makes it difficult to create a chronological event of how things occur. PCI Requirement 10.4 establishes the need to have some type of time management within your organization, and that we have central points of time management and configuration standards around how we’re going to be configuring the time management in our environment to operate.